
I like to read Enterprise Risk, the official magazine of the Institute of Risk Management. Not only are its features often of interest, but it includes useful graphics that summarize studies, etc. on a number of useful topics.
In its Summer 2019 issue, the magazine captures the most interesting observations of a study by Baringa Partners (the full report is here).
- Only about 15% of respondents strongly agreed that “Statements provide a clear link with the firm’s strategy”. About 30% disagreed.
- About the same number strongly agreed that “Statements provide a forward-looking view of risk,” while nearly 40% disagreed.
- Only about 10% strongly agreed that “Statements are embedded into business decision-making”. Again, nearly 40% disagreed.
As Baringa comments:
Whilst the majority of firms had risk appetite statements that were set by the Board and which were supported by relevant metrics, 50% of respondents noted that their risk appetite statements did not link to the firm’s strategy or to the actual underlying risk the firm faced, and did not provide a forward looking view of risk.
The regulators want to make sure that firms do not put the continued existence of the organization and the investment stakeholders have made in jeopardy as it pursues profit.
Risk appetite statements I have seen can be general in their language or specific, with metrics against which actual levels might be compared.
When they are general, talking about intent, such as “The Group has zero appetite for regulatory risk and a moderate appetite for the risk of litigation”, it is difficult to see how this affects decisions made either by the board or operating management.
When more specific metrics are established, such as “the Loans to Asset Ratio will be no more than 70%”, actual performance can be compared to the limits to confirm that it is line with board-approved guidance.
But does such a comparison do enough to drive behavior in a dynamic environment? It is difficult to see how it is more than an after-the-fact check rather than a driver of management actions.
This is especially true when activity across the organization needs to be aggregated to compare to enterprise-level limits. For example, if I set an enterprise level target of “the Loans to Asset Ratio will be no more than 70%” but I have to aggregate Loans and Assets numbers across multiple business units and countries, how do I guide a Loan Officer in Guyana whether to approve a loan?
Let’s step back and think about what we are trying to achieve.
While the regulators focus on preventing failure through reckless risk-taking, stakeholders should be concerned whether management and the board are taking the right risks for success (i.e., not just avoiding failure).
Success is achieved, and failure avoided, when management and the board make informed and intelligent decisions.
Do risk appetite statements lead people to make informed and intelligent decisions?
If they are not:
- Linked to the firm’s objectives and strategies for achieving them, and
- Forward-looking, and
- Embedded into every important business process, and
- Measurable and actionable…
…they will have little effect on decision-making or success. Arguably, they have little effect on avoiding failure as well.
I am not persuaded that ISO’s risk criteria are necessarily the answer either!
Rather than providing guidance and limits on risk, I prefer to consider:
- What decisions have to be made for success?
- What could go wrong and what needs to go right?
- What information do decision-makers need?
- Who needs to make the decisions and who needs to be involved?
- How I can guide decision-makers to take the right level of the right risks?
- How do I monitor performance to know when poor decisions are made?
Maybe the answer includes risk appetite statements.
Maybe there are some aspects that you cannot really quantify.
Maybe you will have to rely on after-the-fact detection in some cases.
You certainly have to satisfy the regulators.
But you should also customize what you do to the needs and practices of the organization.
I am not persuaded that risk appetite statements should be the core around which risk management practices and programs are built.
What do you think?
- When enterprise risk-based audit plans are not enough - November 15, 2023
- More useful information about cyber risk - October 18, 2023
- How do you measure internal audit effectiveness? - October 3, 2023